a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c

Analysis

max time kernel
50s
max time network
55s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe
Size

76KB
MD5

7be2f5fa4830de9f0f219c8505966ef5
SHA1

081a32190d3ecbdefab1de8b6369d1cded0873ba
SHA256

a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c
SHA512

74244699a5d3dca58d639675794b432179db581986bfb332f330137f8db3655abeb0fe7cc8a5a54eefe1fe5aaebd3143e1867b78d82334478f042cd09fb5f75b
SSDEEP

1536:/nd47nXPeFCi0Jn+mIeTs3xEXf6/Dj6r/q97vKux7N+bpAn1gAL:fdk9Q8sSv6D2rCvXx5+beL

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 668	1668	a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe	28
PID 1668 wrote to memory of 668	1668	a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe	28
PID 1668 wrote to memory of 668	1668	a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe	28
PID 1668 wrote to memory of 668	1668	a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe	28

C:\Users\Admin\AppData\Local\Temp\a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe
"C:\Users\Admin\AppData\Local\Temp\a2ddf5e7abe6e49fd63241335f203607005d6f224b6c43b92bd320cf8bd9181c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Hqz..bat" > nul 2> nul
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hqz..bat

Filesize
274B

MD5
e3cdf919721174f3ab8dbf8dd3e87dd1

SHA1
1af149dced4d21fb5166aef29920581f9710c44a

SHA256
0b431ccaf603b7ad4d5755751a371d3e1bdae1beef2cda834c9fd7c0889a8269

SHA512
d3e7fedd4f6bf168b336d8451df0bb36ad6cca3befaa59d94f5295e955a7b25f40d2155e7fed40c6ea78cba3b8123a04aa1b7a2fdc544fcbc35dfc2934a87142

Download Submit
memory/668-57-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1668-56-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1668-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download